Motivation
PostgreSQL has just detected a really bad information disclosure bug, CVE-2017-7547.
Unfortunately, upgrading to a fixed version (for Debian, see their security-tracker on CVE-2017-7547) is not enough: existing installations need manual work, as PostgreSQL's own news article 1772 describes. That howto is not only less than optimal (the first half of step 4 should happen before step 3 for easier scripting), there also does not seem to be a script yet.
Therefore I decided to create the following scripts ...
Scripted Solution (for 'main' cluster)
pg_fix_usermappings.sql code
For manual execution, and for the interested, here is what our full script (see below) puts in /tmp/pg_fix_user_mappings.sql and "executes" on all databases after making additional config changes to and restarting postgres:
What happens in pg_fix_usermappings.sh
The script pg_fix_usermappings.sh performs the following operations:
- Some sanity checks. It's safe to call the script without any parameters
- Create /tmp/pg_fix_user_mappings.sql (see above)
- Copy postgresql.conf to postgresql.conf.bak
- Patch postgresql.conf with allow_system_table_mods=true
- Restart postgres
- Sleep 60 seconds, because postgres starts asynchronously
- Enable changes to template0
- Apply /tmp/pg_fix_user_mappings.sql to ALL databases
- Disable changes to template0
- Restore postgresql.conf.bak to postgresql.conf
- Restart postgres again
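The copy, patch and restore steps above leave allow_system_table_mods enabled if anything fails in between. The following is an added example, not taken from pg_fix_usermappings.sh, of wrapping those steps so the original postgresql.conf always comes back, and of polling for readiness instead of a fixed sleep; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from pg_fix_usermappings.sh.

# Back up CONF and append the temporary override (the last setting in the file wins).
enable_catalog_mods() {
    conf=$1
    [ -f "$conf" ] || return 1
    if [ -e "$conf.bak" ]; then return 2; fi   # stale backup from an earlier run: stop
    cp -p "$conf" "$conf.bak" || return 1
    printf '%s\n' 'allow_system_table_mods = true' >> "$conf"
}

# Put the original file back; does nothing if there is no backup.
restore_conf() {
    if [ -f "$1.bak" ]; then mv "$1.bak" "$1"; fi
}

# Succeeds while an uncommented override is still present in CONF.
catalog_mods_enabled() {
    grep -Eq '^[[:space:]]*allow_system_table_mods[[:space:]]*=[[:space:]]*(true|on)' "$1"
}

# Poll a readiness command once per second instead of sleeping a fixed 60 seconds,
# e.g. "wait_ready 60 pg_isready -q" where pg_isready is installed.
wait_ready() {
    tries=$1; shift
    while [ "$tries" -gt 0 ]; do
        if "$@"; then return 0; fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# with_catalog_mods CONF CMD...: run CMD with the override in place and restore
# CONF afterwards whether CMD succeeded, failed, or the run was interrupted.
with_catalog_mods() {
    conf=$1; shift
    enable_catalog_mods "$conf" || return
    trap 'restore_conf "$conf"; exit 130' INT TERM
    status=0
    ( "$@" ) || status=$?
    trap - INT TERM
    restore_conf "$conf" || return 1
    return "$status"
}
```

CMD here stands for the restart, wait and apply-SQL steps; the final restart after the restore is still needed so the running server drops the setting.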
pg_fix_usermappings.sh download & execution
To try to fix your PostgreSQL installation in a Debian or similar environment:
- Review pg_fix_usermappings.sh
- Review it!
- Download and execute it as user postgres
Overall (several variants, read before execution)
    # download
    cd /tmp
    wget https://download.clazzes.org/pg_fix_usermappings/pg_fix_usermappings.sh

    # make it executable, for user postgres
    chmod ugo+rx pg_fix_usermappings.sh

    # it's safe to call the script without any parameters ...
    ./pg_fix_usermappings.sh

    # execute for 9.6 as root
    sudo -u postgres ./pg_fix_usermappings.sh 9.6

    # or execute for 9.6 as non-root sudo
    sudo sudo -u postgres ./pg_fix_usermappings.sh 9.6

    # or execute for 9.6 for the bold skipping do-you-really-want-it backcheck
    sudo sudo -u postgres ./pg_fix_usermappings.sh --yes 9.6

    # or execute logging the output
    ( sudo sudo -u postgres ./pg_fix_usermappings.sh 9.6 ) 2>&1 | tee /var/tmp/pg_fix_usermappings.log

    # after success
    sudo mv /var/tmp/pg_fix_usermappings.log /var/log/postgresql/